Lockheed Martin Corp., AT&T Inc., and CenturyLink Inc., are the first companies to sign up for a U.S. program giving them classified information on cyber threats that they can package as security services for sale to other companies.
The Pentagon provides the classified threat signatures to the Department of Homeland Security, which in turn provides them to companies approved to receive such information, Eric Rosenbach, the deputy assistant secretary of defense for cyber policy, said in an interview. More companies are interested in participating in the program, he said.
“The vision is we take something unique that isn’t available in the public domain and give it to the private sector and rely on their ability to innovate, push and market,” said Rosenbach, who previously was a national security adviser to former Senator Chuck Hagel, President Barack Obama’s choice to be the next defense secretary.
The move to create a market based on classified U.S. information about cyber threats follows the failure by Congress in November to pass legislation that would have required companies operating critical infrastructure -- such as electrical grids or telecommunications networks -- to adopt voluntary security standards. The measure was opposed by the U.S. Chamber of Commerce, which argued that the proposed standards might transform into burdensome regulations.
The program to share classified information, called Defense Industrial Base Enhanced Cybersecurity Services, will help U.S. companies get protection that’s not been available in the commercial market, said Alan Paller, director of research at the SANS Institute, a computer-security training company based in Bethesda, Maryland.
A cyber intrusion-prevention service built on U.S. classified information “will absolutely protect companies against things they wouldn’t have been protected against,” Paller said in a phone interview.
Only the Pentagon has “very deep access to people who have been attacked and deep technical skills to analyze” such attacks and develop signatures, or unique characteristics, of a cyber assault, Paller said.
The Pentagon may learn about a particular type of cyber attack on a power company and glean its telltale signs, Paller said. “But how does the government let power companies know” they’re vulnerable? Paller asked. Letting a group of companies with security clearances take that information and sell it to others is “a really good idea, it’s the right way to do it.”
Pentagon officials hope the model will expand beyond critical infrastructure such as power plants to others, said Richard Hale, the Defense Department’s deputy chief information officer.
“The idea was if the government knew something, figure out a way to share it in a way that kept it private but still allowed the protection benefits to flow from that,” Hale said in an interview.
Potential customers for the cyber-threat service must be approved by the Pentagon.
Participation in the program by Bethesda, Maryland based Lockheed Martin combines cooperation with the government and the company’s own technical skills “to better protect our nation and its critical infrastructure from the most serious of cyber threat,” Nettie Johnson, a spokeswoman for the world’s biggest defense contractor, said in an e-mail.
CenturyLink is “seeing strong demand from private companies,” Linda Johnson, a spokeswoman for the Monroe, Louisiana-based telecommunications company, said in an e-mail. She declined to name companies that have expressed interest in buying the service.
Michael Balmoris, a spokesman for Dallas-based AT&T, the largest U.S. telephone company, declined to comment.
The program to share classified information with defense contractors and Internet service providers for resale grew out of an experiment that began four years ago, when the Pentagon and a group of U.S. defense contractors started sharing unclassified information on data loss and securing company computer networks, Hale said.
That initiative, which began with 36 defense contractors now has 71 companies with an additional 22 waiting to join, Hale said.